Who Should The DPO Be?

On the surface, choosing a DPO can sound like a difficult problem, but it really isn’t.

The DPO has to be a named person, and it’s your choice whether they are full-time or part-time in the role. That will very much depend on the workload.

The best place to start is by looking at what roles you have in place already. It’s quite possible you actually have a DPO somewhere in the organisation, or at the very least have informally designated someone previously. Do some digging to check this base isn’t already covered.

The next step is to exclude your operational IT and security personnel, due to a clear conflict of interest. The GDPR states that the DPO must not be conflicted by having a dual role of governing data protection whilst also defining how data is managed. You can’t be both poacher and gamekeeper. In the real world, this means that an IT Manager, IT Director, CTO or Security Manager is highly unlikely to be able to also be the DPO. Additionally, you may find other positions that represent a conflict, such as a Marketing Manager. Be wary of these conflicts.

The DPO role is fundamentally about governance and compliance. In turn, this sits naturally with legal and Security Governance teams. Larger organisations will have an in-house counsel (lawyer) who could be a DPO. They may also have a separation of operational IT Security and Security Governance teams. This separation usually results in the Governance function sitting outside of IT, which removes the conflict of interest for a DPO. A Chief Information Security Officer (“CISO”) means many things to many people, and could sit either inside or outside of IT, so don’t assume that this position could automatically hold the DPO role without conflict.